[xiph-commits] r14499 - trunk/theora/lib/dec
tterribe at svn.xiph.org
tterribe at svn.xiph.org
Wed Feb 13 10:46:49 PST 2008
Author: tterribe
Date: 2008-02-13 10:46:48 -0800 (Wed, 13 Feb 2008)
New Revision: 14499
Modified:
trunk/theora/lib/dec/decinfo.c
Log:
Don't eat up tons of memory on invalid comment lengths.
Modified: trunk/theora/lib/dec/decinfo.c
===================================================================
--- trunk/theora/lib/dec/decinfo.c 2008-02-13 10:20:35 UTC (rev 14498)
+++ trunk/theora/lib/dec/decinfo.c 2008-02-13 18:46:48 UTC (rev 14499)
@@ -108,7 +108,7 @@
long len;
/*Read the vendor string.*/
len=oc_unpack_length(_opb);
- if(len<0)return TH_EBADHEADER;
+ if(len<0||theorapackB_bytes(_opb)+len>_opb->storage)return TH_EBADHEADER;
_tc->vendor=_ogg_malloc((size_t)len+1);
oc_unpack_octets(_opb,_tc->vendor,len);
_tc->vendor[len]='\0';
@@ -122,7 +122,7 @@
_tc->comments*sizeof(_tc->user_comments[0]));
for(i=0;i<_tc->comments;i++){
len=oc_unpack_length(_opb);
- if(len<0)return TH_EBADHEADER;
+ if(len<0||theorapackB_bytes(_opb)+len>_opb->storage)return TH_EBADHEADER;
_tc->comment_lengths[i]=len;
_tc->user_comments[i]=_ogg_malloc((size_t)len+1);
oc_unpack_octets(_opb,_tc->user_comments[i],len);
More information about the commits
mailing list